Assess secret storage systems for Lagoon

[kurtfoster]

Currently it's not possible to store secret environment variables across an entire OpenShift project. Each new environment that is created for a new PR or branch needs to have ENV vars set manually in the deployment. Could we move to Vault to manage this instead of env?

Based on some investigations in our project, the following steps outline what may be needed to achieve a production level integration of Vault.

Install Consul.

** https://github.com/kubernetes/charts/tree/master/stable/consul

Install Vault.

** https://github.com/kubernetes/charts/tree/master/incubator/vault

Install the Goldfish Vault Web UI.

** https://github.com/kubernetes/charts/tree/master/incubator/goldfish
** https://github.com/Caiyeon/goldfish

Configure the Vault Kubernetes Auth Backend.

** https://www.vaultproject.io/docs/auth/kubernetes.html
** This will allow Kubernetes service accounts to authenticate to Vault.

For each application that is to use Vault stored secrets.

** Create a `ConfigMap` with a file defining the secrets to be consumed.
** Change the Dockerfile ENTRYPOINT for the workload so that `vaultenv` is used to fetch the secrets from Vault and store them in environment variables.
** https://github.com/channable/vaultenv
** The section “Exposing Secrets to Applications” from this article goes into more detail about using `vaultenv` - https://www.elastic.co/blog/kubernetes-vault-integration-devops-team

[Schnitzel]

Thanks for this @kurtfoster There is also #65 which covers another idea of this.

Will definitely look into Vault and check how we can use that in a PaaS enviornment where multiple clients need access to the Vault but should not have access to each others Secrets

[markxtji]

it looks to me that git-secret is something worth consideration.

http://git-secret.io/

[Schnitzel]

Had a meeting today with @thom8 and @markxtji

We discussed a couple of ideas, and the current working idea is:

1. deploy a development vault into the OpenShift Cluster via helm/tiller (already done in our test environment)
2. access vault via local and the UI (already done in test environment)
3. Find out how the individual openshift projects can authenticate their Kubernetes Service Account against Vault (see https://www.vaultproject.io/docs/auth/kubernetes.html#configuration)
4. How to extract vault secrets as environment variables (maybe https://github.com/channable/vaultenv ?)

with this setup we should be able to save secrets via the vault local CLI and load them inside containers, this would not really be a multi-tenant system or so, but a good start

Future things to implement:

• Vault Policies so that the different environment cannot access each other
• Lagoon API connector to Vault (create, edit, get secrets from Vault via the Lagoon API)
• capability to have default secrets (for dev, staging, etc.) and a specific secret for production

[nicksantamaria]

I would recommend looking at the CoreOS vault operator - https://github.com/coreos/vault-operator

This way you could have your helm charts include a vault resource, and with RBAC rules and service accounts you could have isolation of vaults to their particular environment.

Unsealing is still a bit of a pain, but I've seen a lot recommendations to use https://github.com/jetstack/vault-unsealer on hn.

[Schnitzel]

As discussing with another client, we could also use Keycloak for secrets management?

[ocean]

Hi Michael, has there been any further progress on this secrets storage system?

[fubarhouse]

We're also interested in a supported solution.

[Opswatch]

This might be interesting for you https://github.com/banzaicloud/bank-vaults

[Schnitzel]

This might be interesting for you https://github.com/banzaicloud/bank-vaults

thanks @Opswatch ! will have a look :)

[Schnitzel]

we talked about this again during lagoon tech sync:

• the easiest and highest adding of security would be to encrypt the env variables in the lagoon api db and decrypt them when they are loaded.

[anothertobi]

Vault might no longer be a good fit for Lagoon due to the license changes that happened. Building this directly in Lagoon would be an option that solves this.